In the past, securing SSH on the public internet has been pretty much as easy as (a) keep your OS patched, (b) don’t let root log in with a password, and (c) run fail2ban to stop brute-force attacks.
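Measure (b) is the one people most often get wrong, because sshd takes the first value it finds for a keyword: a `PermitRootLogin no` appended below an existing `PermitRootLogin yes` is dead text. The following check, an added example rather than anything from the original post, applies that same first-value-wins rule to an sshd_config and reports whether root could still authenticate with a password. It assumes no `Match` blocks (parsing stops at the first one), comments only on their own lines, and the stated defaults for keywords that are absent; the two configs at the bottom are constructed for illustration.

```python
"""Check whether an sshd_config still lets root log in with a password.

Added example, not from the original post.  sshd uses the FIRST value it
finds for a keyword, so 'PermitRootLogin no' appended below an earlier
'PermitRootLogin yes' changes nothing; this check applies the same rule.
Assumptions: no Match blocks (parsing stops at the first one), comments
only on their own lines, and the defaults below for absent keywords.
"""
import re

# Defaults when a keyword is absent.  OpenSSH before 7.0 shipped
# PermitRootLogin yes; 7.0 and later default to prohibit-password.
OLD_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
                "challengeresponseauthentication": "yes"}
NEW_DEFAULTS = dict(OLD_DEFAULTS, permitrootlogin="prohibit-password")

# 'KbdInteractiveAuthentication' is the newer name for the same switch.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

SPLIT_RE = re.compile(r"\s*=\s*|\s+")   # 'Key value', 'Key=value', 'Key = value'


def effective_settings(config_text, defaults=OLD_DEFAULTS):
    """Return {lowercased keyword: value that sshd would actually use}."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = SPLIT_RE.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break          # everything after applies only to some connections
        key = ALIASES.get(key, key)
        seen.setdefault(key, value)   # first value wins, as in sshd
    return {**defaults, **seen}


def root_password_login_possible(config_text, defaults=OLD_DEFAULTS):
    """True if sshd with this file would accept a password for root.

    A password can reach root either through PasswordAuthentication or,
    with PAM in use, through keyboard-interactive (governed by the
    ChallengeResponseAuthentication switch), so both must be off."""
    s = effective_settings(config_text, defaults)
    password_paths_open = (s["passwordauthentication"] == "yes"
                           or s["challengeresponseauthentication"] == "yes")
    return s["permitrootlogin"] == "yes" and password_paths_open


# Constructed examples.  The 'no' appended to BAD_CONFIG is dead text.
BAD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later in an attempt to harden the box:
PermitRootLogin no
"""

GOOD_CONFIG = """\
Port 22
# keys only for root; 'prohibit-password' is the newer spelling
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(name, "root password login possible:",
              root_password_login_possible(cfg))
```

Run it against `/etc/ssh/sshd_config` by reading the file into `root_password_login_possible`; on a live host `sshd -T` prints the effective values directly and is the authoritative check, but it needs root and a working sshd binary, which the offline parser above does not.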
Unfortunately, it looks like the bad guys have finally figured out how to put their bots to work running distributed SSH brute-force attacks. If so, then fail2ban is no longer going to be good enough, and more sophisticated (and inconvenient) measures are going to be needed.
Prior to December 1, the five machines I maintain with SSH servers accessible to the public had been probed by an average of 13 different IP addresses per day. On December 1, they were probed by 109 different IP addresses, a 738% increase over the prior average. On December 2 and 3, they were probed by 79 and 72 different IP addresses. Not as high as the first day, but still quite a jump!
I saw this increase across the board on five different machines on four distinct networks run by four different network service providers. I’ve been in correspondence with someone at the SANS Internet Storm Center who says he’s seen a similar spike on machines he maintains.
It seems clear to me that someone is engaging in a distributed brute-force attack trying to break into servers as root via ssh.
Since this particular attack is targeted at the root user, you’re safe for the time being as long as you don’t allow root to log in with a password (PermitRootLogin set to no, or to without-password so that only keys are accepted). But it’s only a matter of time before they start attempting distributed brute-force attacks of non-root accounts. When that happens, blocking an individual IP address after a series of failed login attempts is no longer going to be sufficient: each address in a distributed attack makes only a few attempts, so none of them ever reaches the ban threshold.
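The two measurements that matter here are the number of distinct source addresses per day (the spike above) and the number of attempts each address makes (why per-address banning misses it). The script below, an added example and not the script the post refers to, extracts both from syslog-style sshd "Failed password" lines, flags days far above the preceding baseline, and reports how many sources on a given day would even reach a fail2ban-style `maxretry`. It assumes the traditional `Mon DD HH:MM:SS` timestamp, all lines from one year, and a short constructed log (three days of the usual noisy bots, then a day of many sources trying root twice each); the addresses are from the RFC 5737 documentation ranges.

```python
"""Count distinct SSH brute-force sources per day from auth.log lines.

Added example, not the script the post refers to.  It parses syslog-style
sshd 'Failed password' lines, reports the number of distinct source
addresses per day, flags days far above the preceding baseline, and shows
why a per-address ban threshold (fail2ban-style) misses a distributed
attack: each source stays under the limit.  Assumes all lines are from a
single year and that the log uses the traditional 'Mon DD HH:MM:SS' stamp.
"""
import re
from collections import Counter, defaultdict

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def parse_failures(lines):
    """Yield ((month, day), user, ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield (MONTHS[m["mon"]], int(m["day"])), m["user"], m["ip"]


def sources_per_day(lines, user=None):
    """date -> set of source IPs with a failed login (optionally one user)."""
    by_day = defaultdict(set)
    for date, u, ip in parse_failures(lines):
        if user is None or u == user:
            by_day[date].add(ip)
    return by_day


def spike_days(by_day, window=3, factor=3.0):
    """Days whose distinct-source count exceeds factor x the mean of the
    previous `window` days.  Returns [(date, count, pct_increase)]."""
    days = sorted(by_day)
    flagged = []
    for i in range(window, len(days)):
        base = [len(by_day[d]) for d in days[i - window:i]]
        mean = sum(base) / len(base)
        n = len(by_day[days[i]])
        if n > factor * mean:
            flagged.append((days[i], n, round(100 * (n - mean) / mean)))
    return flagged


def banned_by_threshold(lines, date, maxretry=5):
    """(sources at or over maxretry, total sources) for one day.  Counting
    per whole day is generous to the defender: fail2ban only counts failures
    inside its findtime window, so a source under maxretry here is never
    banned by it."""
    per_ip = Counter(ip for d, _, ip in parse_failures(lines) if d == date)
    over = sum(1 for c in per_ip.values() if c >= maxretry)
    return over, len(per_ip)


# Constructed sample: (month, day) -> {ip: (user, attempts)}.  Three days of
# the usual handful of noisy bots, then a day with many sources each trying
# root only twice.  Addresses are from the RFC 5737 documentation ranges.
SAMPLE = {
    (11, 28): {"198.51.100.7": ("root", 5), "198.51.100.9": ("root", 12)},
    (11, 29): {"198.51.100.7": ("root", 6), "203.0.113.4": ("root", 11),
               "203.0.113.5": ("admin", 4)},
    (11, 30): {"198.51.100.9": ("root", 9), "203.0.113.4": ("root", 7)},
    (12, 1): {f"192.0.2.{i}": ("root", 2) for i in range(1, 19)},
}


def build_sample_log():
    """Expand SAMPLE into syslog-style lines (constructed, not real traffic)."""
    names = {v: k for k, v in MONTHS.items()}
    lines = []
    for (mon, day), ips in SAMPLE.items():
        for n, (ip, (user, tries)) in enumerate(ips.items()):
            who = user if user == "root" else f"invalid user {user}"
            for t in range(tries):
                lines.append(f"{names[mon]} {day:2d} 0{n % 10}:{t:02d}:17 "
                             f"host1 sshd[{4000 + n}]: Failed password for "
                             f"{who} from {ip} port {50000 + t} ssh2")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    per_day = sources_per_day(log, user="root")
    for d in sorted(per_day):
        print(f"{d[0]:02d}-{d[1]:02d}: {len(per_day[d]):3d} distinct sources")
    for d, n, pct in spike_days(per_day):
        print(f"spike on {d}: {n} sources, +{pct}% over prior 3-day mean")
        print("  sources reaching maxretry=5:", banned_by_threshold(log, d))
```

On real data replace `build_sample_log()` with the lines of `/var/log/auth.log` (or `/var/log/secure`); the `user="root"` filter isolates the attack described in the post, and dropping it counts every account. The `banned_by_threshold` figure is the one to watch: when it reads `(0, N)` for a large N, a per-address ban rule is doing nothing at all against that day's traffic.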
If you maintain a server whose SSH port is open to the public, please let me know the details if you’re seeing a similar attack on your server (you can post a comment here or email me). In case it is useful, here is the script I have been using to collect and display data from the machines I maintain.
UPDATE: It looks like it’s dying down. As of December 8, SSH brute-force attempts from distinct IP addresses are at or near their pre-spike levels: